Preface

Welcome to the second edition of our book on SSH, one of the world's most popular approaches to computer network security. Here's a sampling of what's new in this edition:

  • Over 100 new features, options, and configuration keywords from the latest versions of OpenSSH and SSH Tectia (formerly known as SSH Secure Shell or SSH2 from ssh.com)

  • Expanded material on the SSH-2 protocol and its internals, including a step-by-step tour through the transport, authentication, and connection phases

  • Running OpenSSH on Microsoft Windows and Macintosh OS X

  • All-new chapters on Windows software such as Tectia, SecureCRT, and PuTTY

  • Scalable authentication techniques for large installations, including X.509 certificates

  • Single sign-on between Linux and Windows via Kerberos/GSSAPI

  • Logging and debugging in greater depth

  • Tectia's metaconfiguration, subconfiguration, and plugins, with examples

...and much more! You might be surprised at how much has changed, but in the past four years, SSH has evolved significantly:


SSH-2 protocol triumphant

Back in 2001, only a handful of SSH products supported the relatively new SSH-2 protocol, and the primary implementation was commercial. Today, the old SSH-1 protocol is dying out and all modern SSH products, free and commercial, use the more secure and flexible SSH-2 protocol. We now recommend that everyone avoid SSH-1.


The rise of OpenSSH

This little upstart from the OpenBSD world has become the dominant implementation of SSH on the Internet, snatching the crown from the original, SSH Secure Shell (now called SSH Tectia, which we abbreviate as Tectia). Tectia is still more powerful than OpenSSH in important ways; but as OpenSSH is now included as standard with Linux, Solaris, Mac OS X, and beyond, it dominates in pure numbers.


The death of telnet and the r-tools

The insecure programs telnet, rsh, rcp, and rlogin—long the standards for communication between computers—are effectively extinct.[1] FTP is also on the way out, except when operated behind firewalls or over private lines.

[1] Not counting secure versions of these tools, e.g., when enhanced with Kerberos support. [1.6.3]


An explosion of Windows products

In 2001, there were a handful of SSH implementations for Windows; now there are dozens of GUI clients and several robust servers, not to mention a full port of the free OpenSSH.


Increased attacks

The Internet has experienced a sharp rise in computer intrusions. Now more than ever, your servers and firewalls should be configured to block all remote accesses except via SSH (or other secure protocols).

P.1. Protect Your Network with SSH

Let's start with the basics. SSH, the Secure Shell, is a reliable, reasonably easy to use, inexpensive security product for computer networks and the people who use them. It's available for most of today's operating systems.

Privacy is a basic human right, but on today's computer networks, privacy isn't guaranteed. Much of the data that travels on the Internet or local networks is transmitted as plain text, and may be captured and viewed by anybody with a little technical know-how. The email you send, the files you transmit between computers, even the passwords you type may be readable by others. Imagine the damage that can be done if an untrusted third party—a competitor, the CIA, your in-laws—intercepted your most sensitive communications in transit.

SSH is a small, unassuming, yet powerful and robust solution to many of these issues. It keeps prying eyes away from the data on your network. It doesn't solve every privacy and security problem, but it eliminates several of them effectively. Its major features are:

  • A secure, client/server protocol for encrypting and transmitting data over a network

  • Authentication (recognition) of users by password, host, or public key, plus optional integration with other popular authentication systems, such as PAM, Kerberos, SecurID, and PGP

  • The ability to add security to insecure network applications such as Telnet, NNTP, VNC, and many other TCP/IP-based programs and protocols

  • Almost complete transparency to the end user

  • Implementations for most operating systems

P.2. Intended Audience

We've written this book for system administrators and technically minded users. Some chapters are suitable for a wide audience, while others are thoroughly technical and intended for computer and networking professionals.

P.2.1. End-User Audience

Do you have two or more computer accounts on different machines? SSH lets you connect one to another with a high degree of security. You can remotely log into one account from the other, execute remote commands, and copy files between accounts, all with the confidence that nobody can intercept your username, password, or data in transit.

Do you connect from a personal computer to an Internet service provider (ISP)? In particular, do you connect to a Unix shell account at your ISP? If so, SSH can make this connection significantly more secure. An increasing number of ISPs are running SSH servers for their users. In case your ISP doesn't, we'll show you how to run a server yourself.

Do you develop software? Are you creating distributed applications that must communicate over a network securely? Then don't reinvent the wheel: use SSH to encrypt the connections. It's a solid technology that may reduce your development time.

Even if you have only a single computer account, as long as it's connected to a network, SSH can still be useful. For example, if you've ever wanted to let other people use your account, such as family members or employees, but didn't want to give them unlimited use, SSH can provide a carefully controlled, limited-access channel into your account.

P.2.1.1. Prerequisites

We assume you are familiar with computers and networking as found in any modern business office or home system with an Internet connection. Ideally, you are familiar with network applications like Telnet and FTP. If you are a Unix user, you should be familiar with standard network applications (e.g., ftp) and the basics of writing shell scripts and Perl scripts.

P.2.2. System-Administrator Audience

If you're a Unix or Macintosh OS X system administrator, you probably know about SSH already. It's less well known in the Windows world, where secure logins are usually accomplished with radmin (Remote Administrator) and other remote desktop applications, and network file transfers are done using network shares. In contrast, SSH is more focused on the command line and is therefore more scriptable than the usual Windows techniques. SSH also can increase the security of other TCP/IP-based applications on your network by transparently "tunneling" them through SSH-encrypted connections. You will love SSH.

P.2.2.1. Prerequisites

In addition to the end-user prerequisites in the previous section, you should be familiar with user accounts and groups, networking concepts such as TCP/IP and packets, and basic encryption techniques.

P.3. Reading This Book

This book is divided roughly into three parts. The first three chapters are a general introduction to SSH, first at a high level for all readers (Chapters 1 and 2), and then in detail for technical readers (Chapter 3).

The next nine chapters cover SSH for Unix and similar operating systems (OpenBSD, Linux, Solaris, etc.). The first two (Chapters 4 and 5) cover SSH installation and serverwide configuration for system administrators. The next four (Chapters 6 through 9) cover advanced topics for end users, including key management, client configuration, per-account server configuration, and forwarding. We complete the Unix sequence with our recommended setup (Chapter 10), some detailed case studies (Chapter 11), and troubleshooting tips (Chapter 12). The remaining chapters cover SSH products for Windows and the Macintosh, plus brief overviews of implementations for other platforms.

Each section in the book is numbered, and we provide cross-references throughout the text. If further details are found in Section 7.1.2.2, we use the notation [7.1.2.2] to indicate it.

P.4. Our Approach

This book is organized by concept rather than syntax. We begin with an overview and progressively lead you deeper into the functionality of SSH. So, we might introduce a topic in Chapter 1, show its basic use in Chapter 2, and reveal advanced uses in Chapter 7. If you prefer the whole story at once, Appendix E presents all commands and configuration options in one location.

We focus strongly on three levels of server configuration, which we call compile-time, serverwide, and per-account configuration. Compile-time configuration (Chapter 4) means selecting appropriate options when you build the SSH clients and servers. Serverwide configuration (Chapter 5) applies when the SSH server is run and is generally done by system administrators, while per-account configuration (Chapter 8) can be done anytime by end users. It's vitally important for system administrators to understand the relationships and differences among these three levels. Otherwise, SSH may seem like a morass of random behaviors.

Although the bulk of material focuses on Unix implementations of SSH, you don't have to be a Unix user to understand it. Fans of Windows and the Macintosh may stick to the later chapters devoted to their platforms, but a lot of the meaty details are in the Unix chapters, so we recommend reading them, at least for reference.

P.5. Which Chapters Are for You?

We propose several "tracks" for readers with different interests and skills:


System administrators

Chapters 3, 4, 5, and 10 are the most important for understanding SSH and how to build and configure servers. However, as the administrator of a security product, you should read the whole book.


Unix users (not system administrators)

Chapters 1 and 2 provide an overview, and Chapters 6 through 9 discuss SSH clients in depth.


Windows end users

Read Chapters 1, 2, 13, 14, and 16 through 18 for starters, and then others as your interests guide you.


Macintosh end users

Read Chapters 1, 2, 13, and 15 for starters, and then others as your interests guide you.


Users of other computer platforms

Read Chapters 1, 2, and 13 for starters, and then others as your interests guide you.

Even if you are experienced with SSH, you'll likely find value in Chapters 3 through 12. We cover significant details the Unix manpages leave unclear or unmentioned, including major concepts, compile-time flags, server configuration, and forwarding.

P.6. Supported Platforms

This book covers Unix, Windows, and Macintosh implementations of SSH.

When we say "Unix" in this book, we mean the whole family of Unix-like operating systems such as Linux, OpenBSD, and Solaris.


SSH products are also available for the Amiga, BeOS, Java, OS/2, Palm Pilot, VMS, and Windows CE, and although we don't cover them, their principles are the same.

This book is current for the following Unix SSH versions:

OpenSSH      3.9[2]
SSH Tectia   4.2


[2] See Appendix A for a preview of new features in OpenSSH 4.0.

Version information for non-Unix products is found in their respective chapters.

P.7. Disclaimers

We identify some program features as "undocumented." This means the feature isn't mentioned in the official documentation but works in the current release and/or is clear from the program source code. Undocumented features might not be officially supported by the software authors and can disappear in later releases.

P.8. Conventions Used in This Book

The following typographical conventions are used in this book:


Constant width

For configuration files, things that can be found in configuration files (such as keywords and configuration file options), source code, and interactive terminal sessions.


Constant width italic

For replaceable parameters on command lines or within configuration files.


Italic

For filenames, URLs, hostnames, command names, command-line options, and new terms where they are defined.


A_K

In figures, the object labeled A has been secured using a cryptographic key labeled K, written with the key in the subscript. "Secured" means encrypted, signed, or some more complex relationship, depending on the context. If A is secured using multiple keys (say, K and L), they are listed in the subscript, separated by commas: A_{K,L}.


Tip:

This icon indicates a tip, suggestion, or general note.



Warning:

This icon indicates a warning or caution.


P.9. Comments and Questions

Please address comments and questions concerning this book to the publisher:

O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international/local)
(707) 829-0104 (fax)

There is a web page for this book, which lists errata, examples, or any additional information. You can access this page at:

http://www.oreilly.com/catalog/sshtdg2/

To comment or ask technical questions about this book, send email to:

bookquestions@oreilly.com

For more information about books, conferences, Resource Centers, and the O'Reilly Network, see the O'Reilly web site at:

http://www.oreilly.com

P.10. Safari Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, it means the book is available online through the O'Reilly Network Safari Bookshelf.

Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top technology books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

P.11. Acknowledgments

Our biggest thanks go to the two parties who made this second edition a reality: the many readers who purchased the first edition, and our editor Mike Loukides. We couldn't have done this without you!

We thank the O'Reilly "tools" team for Frame typesetting advice, and Rob Romano for turning our hasty sketches into polished illustrations. Special thanks to the O'Reilly production team, Keith Fahlgren, John Bickelhaupt, Audrey Doyle, and Mary Brady, for their hard work creating the final package.

We thank our excellent technical reviewers for their thorough reading and insightful comments: Markus Friedl and Damien Miller of the OpenSSH team, Paul Lussier, Drew Simonis, and Mike Smith. Big thanks also to several vendors of SSH products who provided us with free copies of their software, reviewed the manuscript, and answered our questions. From SSH Communications Security, maker of SSH Tectia, we thank Nicolas Gabriel-Robez, Tommi Lampila, Sami J. Lehtinen, Timo J. Rinne, Janne Saarikko, Petri Sakkinen, Vesa Vatka, and Timo Westerberg. From VanDyke Software, maker of SecureCRT, SecureFX, and VShell, we thank Jill Christian, Maureen Jett, Marc Orchant, and Tracy West. SSH Communications Security also kindly gave us permission to include the sshregex manpage (Appendix B) and the sshdebug.h error codes (Appendix C).

Dan Barrett thanks Lisa and Sophie for bearing the late-night writing and hacking sessions required for this book. He also thanks Alex Schowtka and Robert Dulaney of VistaPrint, his employer, for their kind permission to work on this project. Bob Byrnes thanks Alison and Rebecca for all of their help and understanding throughout the many nights and weekends when he was glued to his keyboard. Richard Silverman thanks his coauthors for their unfailing good humor and patience—even when a sudden decision to change jobs and move out of state threw his book schedule into chaos. He also thanks his various friends, especially Bob Stepno, for listening to his endless chatter about The Book. It's truly a wonder they still speak to him at all.